
A destructive piece of malware, similar in function to the program used to delete data on tens of thousands of computers at a Middle Eastern oil conglomerate, caused widespread outages March 19 at major businesses in South Korea, IT security firms confirmed on March 20.

The malware, dubbed "Jokra" by security firm Symantec, wipes all data from any hard drive connected to an infected computer—a tactic similar to the August 2012 attacks on oil giant Saudi Aramco that were reportedly carried out by Iran and referred to by U.S. Defense Secretary Leon Panetta as "the most destructive attack that the private sector has seen to date."

The Jokra attack deletes data on hard drives and has reportedly caused network outages at major banks and broadcasters, Symantec said in a brief analysis of the malware.

The destructive actions of the malware narrow down the list of suspects responsible for the attack, said Liam O Murchu, manager of security response operations of Symantec's North American operations.


"There is no particular benefit to be gained from wiping hard drives," he said. "If they were stealing information, such as credit-card information or intellectual property, then you could understand there were some benefits beyond just destruction." However, in this case it appeared the goal of the attack was to be disruptive, so its objective was to take computers offline, O Murchu said.

The most obvious suspicions fall on North Korea, which blamed the United States and South Korea for a network outage that took the country intermittently offline for two days the week of March 11.

The latest attack caused visible network outages at major Korean corporations, including the Korea Broadcasting System, Yonhap News Network, Shinhan Bank and the Korea Gas Corp., according to data published by Internet monitoring service Renesys.

"It is impossible to know from connectivity measurements alone whether these outages were the direct result of cyber-attacks," Doug Madory, senior research engineer with Renesys, stated in a blog post. "However, given the recent rhetoric between these two nations, it is hard not to see these as ominous developments on the Korean peninsula."

The outages could easily be a side effect of the massive damage caused by Jokra. Starting with the master boot record—a critical sector that contains important information on the logical structure of the drive—the malware overwrites an infected system's hard disk using either the word "HASTATI" or "PRINCPES," according to Symantec.
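For responders triaging disk images after such an incident, the check below is an added example (not from the article or from Symantec) that classifies the first sector of an image. It assumes the reported word is repeated across the sector; the function names, the 50% threshold and both sample sectors are constructed for illustration.

```python
import struct

# Marker words reported in the article (attributed to Symantec's analysis).
MARKERS = (b"HASTATI", b"PRINCPES")
SECTOR_SIZE = 512

def marker_coverage(sector: bytes, marker: bytes) -> float:
    """Fraction of the sector covered by non-overlapping copies of marker."""
    return sector.count(marker) * len(marker) / len(sector)

def triage_mbr(sector: bytes) -> dict:
    """Classify sector 0 of a disk image as intact, overwritten or damaged."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    # A valid MBR ends with the boot signature 0x55 0xAA at offset 510.
    signature_ok = sector[510:512] == b"\x55\xaa"
    # Four 16-byte partition entries start at offset 446.
    entries = [sector[446 + 16 * i:462 + 16 * i] for i in range(4)]
    used = [e for e in entries if e[4] != 0]          # byte 4 = partition type
    table_sane = all(e[0] in (0x00, 0x80) for e in used)  # byte 0 = boot flag
    coverage = {m.decode(): marker_coverage(sector, m) for m in MARKERS}
    best = max(coverage, key=coverage.get)
    if coverage[best] >= 0.5:   # assumed threshold: sector is mostly marker text
        verdict, marker = "overwritten", best
    elif signature_ok and table_sane:
        verdict, marker = "intact", None
    else:
        verdict, marker = "damaged", None
    return {"verdict": verdict, "marker": marker,
            "signature_ok": signature_ok, "partitions": len(used)}

# Constructed sample: empty boot code, one bootable NTFS-type entry, signature.
_entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                     b"\xfe\xff\xff", 2048, 204800)
HEALTHY = bytes(446) + _entry + bytes(48) + b"\x55\xaa"
# Constructed sample: sector filled with one of the reported words.
WIPED = (b"PRINCPES" * 64)[:SECTOR_SIZE]

if __name__ == "__main__":
    for name, img in (("healthy", HEALTHY), ("wiped", WIPED)):
        print(name, triage_mbr(img))
```

Run it against the first 512 bytes read from a forensic image file, never against a live disk that still needs to be preserved as evidence.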

Both are terms—or suggestive of terms—from military history. Hastati are the poor or young inexperienced men who fight in the first rank of early Roman legions, while Principes were wealthier men in their prime who fought in the second rank using heavier arms and better armor, according to Wikipedia.

The term Hastati also appeared in the recent Halo movie, Forward Unto Dawn, referring to a specific squad of cadets. Considering South Korea's history of electronic gaming and game-related hacking, the use of the term could suggest an alternative theory as to the motives behind the attack.

"A lot of gamers have these sort of more destructive tendencies, where they will boot you from a game and it's not seen as such a big deal," O Murchu said. "So it could be that someone annoyed the attackers and they are getting back at them."

Yet, such an explanation would likely be supported by other evidence connecting the attack to the Korean gaming scene, he said.

Recently, the military and U.S. intelligence community ranked cyber-attacks as potentially more significant than the threat of terrorism. With the diplomatic situation heating up on the Korean peninsula over attacks in the digital realm, those assertions appear to have been borne out.

A Pentagon spokesman, Lt. Col. Damien Pickart, made it clear in a statement to Bloomberg that the United States considers such attacks serious.

“The United States has a strong and enduring alliance with the Republic of Korea and is firmly committed to the defense of Korea in any domain—to include cyberspace,” Pickart said in a statement emailed to the news agency.
